On 19 November 2025, the European Commission published the Digital Omnibus proposal. It is designed to simplify and align parts of the EU digital rulebook, including updates that affect GDPR, cookie consent, incident reporting, and AI-related topics.

This is not law yet. The text is still at an early stage and can change during negotiations. Until anything is adopted and becomes applicable, your current GDPR and ePrivacy approach remains the baseline.

At a glance

What to watch most closely as a publisher, advertiser, or website operator:

• Clearer banner requirements (equal Accept and Reject)
• Limits on repeated prompts after a refusal
• Browser or OS level preference signals that sites may need to respect
• More standardization for DPIAs and breach notifications

1) Cookie consent: the practical changes

Cookie rule moved into the GDPR

The proposal would move the ePrivacy cookie rule into the GDPR as a new Article 88a. Consent stays the general rule for storing or reading information on a user’s device, but the proposal adds more detail on how this should work in practice.

A closed list of “no consent needed” cases

The proposal includes a defined list of exceptions, including:

• Transmission
• Strictly necessary cookies
• First-party audience measurement for your own services
• Security of the service or device

Banner UX: Accept and Reject must be equally easy

The proposal would require one-click Accept and one-click Reject, with no extra steps for refusal.

Fewer repeat prompts after a refusal

After a refusal, sites would not be allowed to keep asking again for at least six months, unless something relevant changes in your processing activities.

What stays the same

Consent would still be required for advertising, profiling, cross-site tracking, and third-party analytics.

2) Preference signals: what “browser-level consent” could look like

The proposal introduces machine-readable preference signals (Article 88b). The idea is that users can set a preference in a browser or operating system, and websites should read and respect it automatically.

Two points to plan for:

• Banners will still exist for a long time, because not everyone will use browser settings and adoption takes time.
• Even with signals, you still need a CMP-grade operational layer to apply choices correctly across purposes and vendors, and to keep proof.

There is also an exception worth noting: the proposal says media service providers would be exempt from the obligation to respect these signals.

3) Beyond cookies: changes compliance teams should note

DPIAs and breach notifications could become more standardized

The proposal expects EU-wide lists plus common templates and methods for DPIAs, and standard templates and criteria for high-risk breach notifications. This is intended to reduce inconsistency across member states.

One EU entry point for incident reporting

The proposal introduces a single EU entry point for cybersecurity and personal data incident reporting, aiming to reduce duplicate reporting across regimes.

AI training and personal data

The proposal’s recitals indicate that using personal data to train, test, and validate AI systems could rely on legitimate interest, but only with strict safeguards like transparency, an unconditional right to object, and privacy-preserving techniques.

4) What does it mean for cookie banners

You do not need to take action because of the Digital Omnibus today. It is still a proposal, and the current GDPR and ePrivacy rules remain the reference point until anything is adopted and becomes applicable.

What you should focus on instead is the basics that keep working, even when rules evolve:

• Make it easy for people to understand what you do and why, with clear and accessible privacy and cookie information
• Collect consent where it is required and keep reliable records, especially for advertising, re-marketing, and cross-site tracking
• Use your CMP to enforce choices consistently, so tags and vendors only fire when they should
• Keep preference changes simple, and ensure updates flow through to the rest of your stack, such as ad platforms, analytics, and CRM tools

Our stance

We support changes that reduce consent fatigue and make consent flows easier to understand. At the same time, simplification must not weaken transparency or real choice. Preference signals can help, but they should be interoperable and work with consent infrastructure, not replace it. A CMP remains the layer that turns user choices into consistent technical enforcement and reliable proof.